Access control for user accounts using a bidirectional search approach

US10360264B2 · US · B2

Patent metadata

Publication number: US-10360264-B2
Application number: US-201615093750-A
Country: US
Kind code: B2
Filing date: Apr 8, 2016
Priority date: Apr 8, 2016
Publication date: Jul 23, 2019
Grant date: Jul 23, 2019


Abstract

Official abstract text for this publication.

An example method is provided for a computing device to perform access control for a user account. The method may include receiving a request for the user account to access a resource, wherein the resource is accessible via the computing device, and determining a permission set required to access the resource. The method may further include performing a bidirectional search to determine whether the user account is assigned to the permission set, the bidirectional search including a first search and a second search. In response to determination that the user account is included in a nested group membership that assigns the user account to the permission set based on the bidirectional search, the method may include permitting the user account to access the resource using the permission set.

First claim

Opening claim text (preview).

We claim:

1. A method for a computing device to perform access control for a user account, the method comprising: receiving a request for the user account to access a resource, wherein the resource is accessible via the computing device; determining a permission set required to access the resource; performing a bidirectional search to determine whether the user account is assigned to the permission set, comprising: performing a first search of a data structure comprising nesting of user groups, starting from the user account and iteratively generating a first partial tree, to determine first user groups that the user account is a direct member or an indirect member through at least one other first user group; simultaneously performing a second search of the data structure comprising nesting of user groups, starting from the permission set and iteratively generating a second partial tree, to determine second user groups that are directly assigned the permission set or indirectly assigned the permission set through at least one other second user group; and merging, at each iteration of the first search and the second search, the first partial tree with the second partial tree to determine whether there is a path from a first root node representing the user account to a second root node representing a role associated with the permission set; determining if the user account has a nested user group membership that assigns the user account to the permission set based on the bidirectional search; and in response to determination that the user account has the nested user group membership that assigns the user account to the permission set based on the bidirectional search, permitting the user account to access the resource using the permission set.

2. The method of claim 1, wherein the first partial tree includes the first root node and multiple first child nodes representing the nested user group membership of the user account, and each first child node represents a user group of which the user account is a direct member or an indirect member through at least one other user group.

3. The method of claim 1, wherein the second partial tree includes the second root node and multiple second child nodes each representing a user group directly assigned with the role or indirectly assigned with the role through at least one other user group.

4. The method of claim 1, wherein the method further comprises: receiving a further request for a second user account to access the resource or a second resource; and determining whether to permit or deny access to the resource or the second resource based on the first partial tree and second partial tree.

5. The method of claim 1, wherein determining the permission set comprises: determining a first permission set and a second permission set required to access the resource.

6. The method of claim 5, wherein the performing the bidirectional search comprises: performing a first bidirectional search and a second bidirectional search in parallel, wherein the first bidirectional search is to determine whether the user account is assigned with the first permission set and the second bidirectional search is to determine whether the user account is assigned with the second permission set.

7. A non-transitory computer-readable storage medium that includes a set of instructions which, in response to execution by a processor of a computing device, cause the processor to perform a method to provide access control for a user account, the method comprising: receiving a request for the user account to access a resource, wherein the resource is accessible via the computing device; determining a permission set required to access the resource; performing a bidirectional search to determine whether the user account is assigned to the permission set, comprising: performing a first search of a data structure comprising nesting of user groups, starting from the user account and iteratively generating a first partial tree, to determine first user groups that the user account is a direct member or an indirect member through at least one other first user group; simultaneously performing a second search of the data structure comprising nesting of user groups, starting from the permission set and iteratively generating a second partial tree, to determine second user groups that are directly assigned the permission set or indirectly assigned the permission set through at least one other second user group; and merging, at each iteration of the first search and the second search, the first partial tree with the second partial tree to determine whether there is a path from a first root node representing the user account to a second root node representing a role associated with the permission set; determining if the user account has a nested user group membership that assigns the user account to the permission set based on the bidirectional search; and in response to determination that the user account has the nested user group membership that assigns the user account to the permission set based on the bidirectional search, permitting the user account to access the resource using the permission set.

8. The non-transitory computer-readable storage medium of claim 7, wherein the first partial tree includes the first root node and multiple first child nodes representing the nested user group membership of the user account, and each first child node represents a user group of which the user account is a direct member or indirect member through at least one other user group.

9. The non-transitory computer-readable storage medium of claim 7, wherein the second partial tree includes the second root node and multiple second child nodes each representing a user group directly assigned with the role or indirectly assigned with the role through at least one other user group.

10. The non-transitory computer-readable storage medium of claim 7, wherein the method further comprises: receiving a further request for a second user account to access the resource or a second resource; and determining whether to permit or deny the further request based on the first partial tree and second partial tree.

11. The non-transitory computer-readable storage medium of claim 7, wherein determining the permission set comprises: determining a first permission set and a second permission set required to access the resource.

12. The non-transitory computer-readable storage medium of claim 11, wherein the performing the bidirectional search comprises: performing a first bidirectional search and a second bidirectional search in parallel, wherein the first bidirectional search is to determine whether the user account is assigned with the first permission set and the second bidirectional search is to determine whether the user account is assigned with the second permission set.

13. A computing device configured to perform access control for a user account with nested user group membership, the computing device comprising: a processor; a non-transitory computer-readable medium having stored thereon instructions that, when executed by the processor, cause the processor to: receive a request for the user account to access a resource, wherein the resource is accessible via the computing device; determine a permission set required to access the resource; perform a bidirectional search to determine whether the user account is assigned to the permission set, comprising: performing a first search of a data structure comprising nesting of user groups, starting from the user account and iteratively generating a first partial tree, to determine first user groups that t
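The method in the abstract and claim 1 is a meet-in-the-middle search over the group nesting graph: one partial tree grows up from the user through the groups it belongs to, the other grows down from the role through the groups assigned it and their nested member groups, and the two are merged after every level. The block below is an added example, not VMware's code and not code from the patent. The directory, and every user, group, role and resource name in it, is constructed for illustration. It goes slightly beyond the claim text in one respect a practitioner will care about: the sample directory contains a circular nesting (engineering inside ops inside engineering), which the visited sets keep from looping.

```python
"""Bidirectional search over nested group membership (added example).

Not VMware's code. Directory contents and all names are assumptions made up
for this illustration; roles and groups are treated as separate namespaces.
"""
from collections import deque

# Constructed sample directory. MEMBER_OF[x] = groups x is a DIRECT member of.
MEMBER_OF = {
    "alice": {"dev-team"},
    "bob": {"contractors"},
    "carol": set(),
    "dev-team": {"engineering"},
    "engineering": {"all-staff", "ops"},  # engineering <-> ops: circular nesting
    "ops": {"engineering"},
    "contractors": {"all-staff"},
    "all-staff": set(),
}

# ROLE_GROUPS[role] = groups DIRECTLY assigned the role (its permission set);
# groups nested inside them inherit the assignment.
ROLE_GROUPS = {
    "vm-admin": {"engineering"},
    "vm-readonly": {"all-staff"},
}

# REQUIRED_ROLE[(resource, action)] = role whose permission set covers the action.
REQUIRED_ROLE = {
    ("web01", "power_on"): "vm-admin",
    ("web01", "view"): "vm-readonly",
}


def _reverse_index(member_of):
    """group -> its direct members (users or nested groups)."""
    children = {}
    for member, groups in member_of.items():
        for g in groups:
            children.setdefault(g, set()).add(member)
    return children


def _expand(frontier, parent, neighbours):
    """Grow one partial tree by one level. `parent` doubles as the visited
    set, so a group reached through a nesting cycle is never re-expanded."""
    nxt = deque()
    while frontier:
        node = frontier.popleft()
        for n in neighbours.get(node, ()):
            if n not in parent:
                parent[n] = node
                nxt.append(n)
    return nxt


def bidirectional_search(principal, role, member_of=MEMBER_OF, role_groups=ROLE_GROUPS):
    """Return the membership path principal -> ... -> role, or None.

    First search: up from the user through the groups it belongs to.
    Second search: down from the role through the groups assigned it and
    their nested members. After each level the partial trees are merged by
    intersecting their node sets; any shared node yields a complete path.
    """
    backward = dict(_reverse_index(member_of))
    backward[role] = set(role_groups.get(role, ()))  # role's direct assignees
    fwd_parent, bwd_parent = {principal: None}, {role: None}
    fwd, bwd = deque([principal]), deque([role])
    while fwd or bwd:                       # stop when both trees are exhausted
        fwd = _expand(fwd, fwd_parent, member_of)
        bwd = _expand(bwd, bwd_parent, backward)
        meet = fwd_parent.keys() & bwd_parent.keys()
        if meet:
            node = next(iter(meet))
            up, n = [], node
            while n is not None:            # shared node back to the user
                up.append(n)
                n = fwd_parent[n]
            down, n = [], bwd_parent[node]
            while n is not None:            # shared node on to the role
                down.append(n)
                n = bwd_parent[n]
            return up[::-1] + down
    return None


def check_access(principal, resource, action):
    """Deny by default: no mapped permission set, or no membership path, is a no."""
    role = REQUIRED_ROLE.get((resource, action))
    if role is None:
        return False
    return bidirectional_search(principal, role) is not None


if __name__ == "__main__":
    for who in ("alice", "bob", "carol", "mallory"):
        for action in ("power_on", "view"):
            path = bidirectional_search(who, REQUIRED_ROLE[("web01", action)])
            print(f"{who:8} {action:9} {'ALLOW' if path else 'DENY':5} {path or ''}")
```

Running the file prints an allow or deny line with the membership path for each user and action. The tree grown from the role depends only on the directory, not on the requesting user, which is what claim 4 relies on when it answers a later request from the partial trees already built; any such reuse needs invalidation when group membership changes, otherwise an account removed from a group keeps access until the cached tree is rebuilt. The example models positive assignments only: a directory with deny rules or group-scoped overrides cannot be decided by reachability alone.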

Assignees

Vmware Inc (also listed on this page as Wmware Inc)

Classifications

Primary CPC: H04L63/102

Frequently asked questions

Answers are generated from the same data shown on this page.

What does patent US10360264B2 cover?
An example method is provided for a computing device to perform access control for a user account. The method may include receiving a request for the user account to access a resource, wherein the resource is accessible via the computing device, and determining a permission set required to access the resource. The method may further include performing a bidirectional search to determine whether…
Who is the assignee on this patent?
Vmware Inc, Wmware Inc
What technology area does this patent fall under?
Primary CPC classification H04L63/102 (network security: controlling access to devices or network resources by entity profiles), in CPC section H, Electricity.
When was this patent published?
Publication date Jul 23, 2019 (B2). Legal status and post-grant events are not shown on this page.
What related patents are in patentsdb?
We list 5 related publications on this page (citations in our corpus or others sharing the same primary CPC).